Firefox/Features/Web Payments/Privacy & Security Considerations

From MozillaWiki
Jump to: navigation, search

Some things to keep in mind while working on Payment Request relating to privacy/security:

  • avoid leaking the user's shipping address before payment (as much as possible) while still allowing shipping option calculations (both shipping methods and shipping availability)
    • Implement a minimum amount of time to show the dialog in the event of a .show followed by an immediate .abort (if we leak an address on .show) to reduce abuse.
    • Do not leak the user's address changes via preferences to merchants with open PaymentRequest dialogs having the edited address selected.
  • navigations away from a page showing a Payment Request dialog should either be prevented or the dialog should abort.
  • attacks where the user is tricked into interacting with the Payment Request dialog (e.g. clickjacking)
    • The pay button should probably have a security delay
  • security state of the page e.g. HTTPS vs. HTTP, invalid certificate, etc.
    • Only allowed on secure contexts. Should we disable for cert overrides? What about for developers?
    • Most relevant for payment information
  • Private browsing mode
    • default to not saving new addresses
    • don't update storage metadata
    • don't leak the user's shipping address without clear understanding
    • don't remember the last used address for the site
  • Integrate with Clear Recent History / Sanitizer?
    • N/A for basic-card
  • Don't save the CVV anywhere (including form history)
  • Master password: Require entry before every use of the plaintext card number
  • Spoofing issues from showing page generated strings in a privileged dialog
    • e.g. we should constrain the amount of space that the untrusted strings can take on the screen and handle special characters e.g. whitespace and new lines carefully
    • We need to be careful about all the error strings passed from the merchant, especially the generic error string.
  • Handle abusive pages repeatedly showing a payment request dialog (e.g. holding the user hostage until they pay).
    • The proposed design will allow the user to close the whole tab while the dialog is open
  • What happens if the dialog appears during DOM or UI fullscreen?
  • What happens if the dialog appears in different variants of popup windows? (consider features)
  • Handle all kinds of malicious strings
    • e.g. BIDI merchant origin display